On Oct 3, 2011 8:48 AM, "Bob McConnell" <r...@cbord.com> wrote:
>
> From: shawn wilson
>
> > On Sun, Oct 2, 2011 at 02:32, Shlomi Fish <shlo...@shlomifish.org> wrote:
> >> On Sun, 2 Oct 2011 00:07:34 +0300
> >> "Octavian Rasnita" <orasn...@gmail.com> wrote:
> >>
> >>> Hi,
> >>>
> >>> Does anyone have some suggestions for what restrictions should be used on a site to be secure?
> >>> Do you know some sites where I can get information about this subject?
> >>> Most of the text I read said that the variables should be filtered before inserting them in DB, but never gave details for what should be filtered.
> >>>
> >>
> >> Well, the SQL injections that you mention are one vector of attack against
> >> web-sites, but are not the only one. See:
> >>
> >> * http://shlomif-tech.livejournal.com/35301.html - my post about Code/Markup
> >> injection and its prevention.
> >>
> >> * http://en.wikipedia.org/wiki/Cross-site_scripting
> >>
> >> * http://en.wikipedia.org/wiki/Cross-site_request_forgery
> >>
> >
> > since we're on web security, my favorite general purpose reading is:
> > http://code.google.com/p/browsersec/wiki/Main
> >
> > also this (which iirc, some browsers don't or google say are dangerous
> > - there doesn't seem to be any script running on this page - cursory
> > look):
> > http://ha.ckers.org/xss.html
> >
>
> For general guidelines and tools, take a look at the OWASP Projects at <http://www.owasp.org/>.
>
Good point. I always assume that everyone has heard of the top 10 and the like, so I forget to put it out there. But I'll just say, if you think about what you're doing and know a little about security, you'll be in the upper 50%. If you run scans, you'll be in the upper 25%. After that it gets hard. However, the point is that it's not hard to rise above the lowest hanging fruit (which isn't saying much for the state of e-commerce in general, but is good for keeping inexperienced programmers with a little knowledge out of the roughage).
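As an added illustration of the "what should be filtered before inserting into the DB" question quoted above (example code written for this page, not from anyone in the thread), the block below contrasts string-interpolated SQL with bound placeholders, shows the one place where an allow-list is the right tool (a column name that cannot be bound), and escapes at output time for the HTML context Shlomi's markup-injection/XSS links refer to. It uses an in-memory SQLite table and a few constructed rows; the table, rows and function names are assumptions, not anything from the original mails.

```python
import html
import sqlite3

# Constructed sample schema and rows (not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users (name, bio) VALUES (?, ?)",
        [("alice", "hello"), ("bob", "hi")],
    )
    conn.commit()
    return conn

def lookup_interpolated(conn, name):
    # The pattern the original question is about: user input pasted into
    # the SQL text. Whatever you "filter", the input is still parsed as SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, name):
    # Bound placeholder: the value travels separately from the statement,
    # so quotes, comments or OR clauses in it are just data. Nothing to filter.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def interpolation_breaks_on(conn, name):
    # Even a legitimate name with an apostrophe breaks the interpolated
    # version; with a placeholder it simply matches nothing or the right row.
    try:
        lookup_interpolated(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

# Identifiers (table/column names) cannot be bound, so this is the one case
# where input really must be checked: against a fixed allow-list, not a
# deny-list of "dangerous" characters.
ALLOWED_SORT_COLUMNS = frozenset({"name", "bio"})

def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column")
    return [r[0] for r in conn.execute(f"SELECT name FROM users ORDER BY {column}")]

def render_bio(bio):
    # Stored data is left as the user typed it; escaping happens at output,
    # for the context it is emitted into (here an HTML element body).
    return f"<p>{html.escape(bio, quote=True)}</p>"

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("interpolated:", lookup_interpolated(db, probe))  # every row leaks
    print("bound:       ", lookup_bound(db, probe))         # no such user
    print(render_bio("<script>alert(1)</script>"))
```

The practical rule this encodes: bind values, allow-list identifiers, and escape on output per context. A character-stripping filter at insert time does none of those reliably and corrupts legitimate data such as names with apostrophes.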